Search and menus

Search

Topics menu

You are here:

Online Behavioral Advertising and Canada’s Investigation on Facebook

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

Remarks at the Privacy Laws and Business 23rd Annual Conference

July 6, 2010
Cambridge, United Kingdom

Chantal Bernier
Assistant Privacy Commissioner of Canada

(Check against delivery)

Introduction

Thank you for giving me this opportunity to share with you the reasoning and findings of the Office of the Privacy Commissioner of Canada in its 2009 investigations on Facebook. I will focus on the findings that relate specifically to the issue of behavioural advertising.

I. As an overview of my presentation

I will first elaborate on the context of the OPC Facebook investigation, including the definitions and distinctions that we feel must be made in the general field of online personalised advertising;

Then I will describe our reasoning and findings in the 2009 Facebook investigation and,

Finally, I would like to share with you our thinking on what we see as the emerging issues to tackle in relation to online behavioural advertising.

Facebook has changed its policies on advertising since our report and my presentation is based on our report.

II. The OPC’s Facebook investigation

The complaint into Facebook was filed with us in 2008 by the Canadian Internet Policy and Public Interest Clinic (CIPPIC), a clinic affiliated to the University of Ottawa.

It contained 24 allegations, ranging over 11 subjects including raising issues of knowledge and consent, retention of personal information and security safeguards. Of interest for this talk are the allegations concerning advertising.

CIPPIC alleged that: Facebook,

Does not make a reasonable effort to notify users of how it uses their personal information for advertising purposes,

Improperly uses opt-out instead of opt-in relation to Social Ads,

Does not allow opt out in relation to Facebook,

Ads, in contravention of Canadian law, and therefore,

Since users are not allowed to opt out of Facebook Ads, that Facebook makes agreement to advertising a condition of service in contravention of Canadian law.

III. Findings

In general, the findings of the OPC investigations may be divided into two main categories: some Facebook practices had to change and some practices needed to be better explained. The latter applied to targeted and behavioural online advertising.

IV. Differential impact of behavioural advertising

Because our findings turn upon the distinction between different forms of online advertising, I would like at this point to clarify the definitions we use and differentiate their legal impact:

Personalised advertising may take different forms:

Contextual advertising is delivered in response to current on-line activities, without collection or retention of personal information; for example, a user visits a holiday site, and receives advertising for hotels in the area; there is no correlation between identity and a profile of on-line activity; the on-line activity that triggers the advertising is the current activity and does not involve collection of personal information;

Behavioural advertising is defined as “a marketing practice of targeting advertisements to users on the basis of observed or known personal characteristics, such as age, profile and online activity; it therefore entails the collection and retention over time of personal data and it involves consumer tracking;

The personal information collected may include IP address, pages visited, length of time spent on pages, article read, purchases etc … and it tracks a pattern of on-line activities;

Behavioural advertising in our view, is more intrusive than contextual advertising because it targets activities and connects them to identity; this intrusion is of concern in itself, in the degree of surveillance it entails, but it is also of concern for its impact on the components of the right to privacy:

The exercise of fundamental freedoms that privacy is meant to protect may be, in effect, curtailed;

The right to accuracy of personal information is compromised by speculation about a person’s characteristics or interests – there are many reasons to visit a site that may escape the mere tracking of the site visited; there are several inferences that may be made on the basis of age or gender that may not be accurate;

And finally, the extrapolation that is made about a consumer’s interests stretches the notion of consent: choosing to target a user for advertising assumes a level of receptiveness, or consent about the use of personal information, that may simply not be there.

V. Facebook Investigation

Going back to our investigation of privacy protection on Facebook, we made a distinction between Facebook Ads, which we do not consider behavioural advertising, and Social Ads, which we do consider to constitute behavioural advertising.

Our findings were based on the resolution of the following issues:

Does advertising on Facebook constitute a primary or secondary purpose for the collection of personal information?

How intrusive is the advertising in relation to its collection and use of personal information?

Do the settings provide for meaningful consent?

Does the advertising function entail third party disclosure of personal information?

Are Facebook policies adequately transparent about the management of personal information in relation to advertising?

I will address each issue in relation to our considerations and findings.

VI. Purpose

First, in relation to purpose, we considered whether advertising on Facebook constituted primary or secondary purpose.

The OPC considers that a primary purpose for collecting personal information is one that is essential to the delivery of the service. A secondary purpose is additional to the purpose for which the information was needed in the first place.

The distinction impacts upon the regime around consent: if personal information is collected as essential to the delivery of the service, a primary purpose, the user is requires to consent to obtain the service. If the personal information is collected used or disclosed for other reasons than the provision of the service, therefore a secondary purpose, then consent must be specifically sought for that purpose.

In the case of Facebook, we applied Canadian law in the context of a new business model: Facebook offers its services for free, and therefore must generate other revenues to cover its costs. Those revenues come from advertising. In this context, we found that advertising was essential to the delivery of the Facebook service, and, therefore constitutes a primary purpose.

Consequently, users should be willing to receive a certain amount of advertising.

That being said, a distinction must be made in relation to the level of intrusiveness of the advertising. Which brings me to the second issue we considered.

VII. Intrusiveness

At the time of our investigation, Facebook had two types of advertising: Facebook Ads and Social Ads.

Facebook Ads are based on personal characteristics, whether demographic profile or key words. Users must consent to Facebook Ads in order to use the site – there is no ability to opt out. They appear only for the user to see and the user is not co-opted in endorsing a product. The information Facebook passes on to the advertisers is aggregate and therefore, there is no disclosure of users’ personal information to advertisers.

Social Ads are triggered, instead, by social actions, activities, such as becoming fan of a page, joining a group, appearing on Newsfeed. The advertisement is based on the promotion by one user of a product or service to that user’s confirmed friends. The advertiser does not have access to the user’s personal data, but the advertisement links the product or service to the user’s identity. Users can opt out of Social Ads and can control which of their actions will appear in their friends Newsfeed. Users can, therefore, exercise some control on what personal information will be used in Social Ads.

In our view, the level of intrusiveness of Facebook Ads and Social Ads is different: Social Ads were found to be “inherently intrusive” because they use an individual’s actions, thumbnail photo and name to promote a certain product or service. The ad is put on the Newsfeed and intertwines itself with the user’s and friends activities. Social Ads not only associate identity with the advertisement, it also creates the appearance of an endorsement.

This level of intrusiveness dictates that:

Users cannot be reasonably expected to have given implied consent to this use of personal information and

That they should be able to opt out.

Which leads to the third salient issue in regard to our findings on Facebook advertising, which is consent.

VIII. Consent

It flows from the level of intrusiveness we found in regard to Social Ads, and therefore behavioural advertising on Facebook, that consent cannot be implied in relation to behavioural advertising. Consent is needed and for it to be meaningful the purposes for which the personal information is collected and used must be explicitly specified.

In Canadian law, that requires that the purposes be “stated in such a manner that the individual can reasonably understand how the information will be used or disclosed” (Principles 4.3.3. and 4.3.2. of the National Standard of Canada model Code for the protection of personal information”)

This entails that Facebook must make a reasonable effort to notify users of these purposes. Our finding in that regard was that,

Considering the prominent and essential role of advertising in Facebook’s business model, Facebook must better explain in its Privacy Policy its use of advertising, its use of users information for purposes of targeted advertising, and the extent of users ability to opt out;

The discussion in the Facebook Privacy Policy must be more details,

The difference between Facebook Ads and Social Ads must be better explained and

The Privacy Policy must clearly indicate that users may opt out of Social Ads but not of Facebook Ads.

In conclusion, in relation to consent, we found that Facebook was not making “ a reasonable effort to ensure that individuals were advised of the purposes for which the information was gathered, in contravention of Canadian law (Principle 4.3.2. of the Model Code).

IX. Disclosure

In relation to disclosure the Facebook model we looked at in our investigation, did not entail disclosure of users’ personal information to advertisers. In the model we looked at, advertisers would indicate to Facebook the demographic group they wanted to reach. Facebook would serve the ads. In that context, disclosure is not an issue.

X. Accountability

Finally, in relation to accountability, I believe it came out through my description of the previous issues, that we found that Facebook Privacy Policy does not entirely meet accountability standards in relation to:

The clarity and extent of information provided on the use of personal information with regard to behavioural advertising;

The distinction between the purposes of use of personal information for Facebook Ads and for Social Ads, which was not sufficiently clear and did not meet standards of notification,

The limitation of consent was not supported by sufficient information to exercise meaningful consent and

Through lack to detail, the policies and practices do not meet the requirement for openness.

XI. Moving forward

We made two recommendations in our Facebook investigation in relation to advertising, that are still relevant today. However, in this fast evolving field, we need to look at how practices evolve in order to assert corresponding privacy protection.

Our first recommendation was that Facebook Privacy Policy Section be expanded to:

More fully explain the role of advertising in Facebook’s environment,

More fully explain the differences between Facebook Ads and Social Ads, particularly in relation to the ability to opt out, and

Inform users of the use of their profile information for targeted advertising purposes.

Our second recommendation was for Facebook to provide a reminder, at all locations where uploading of information may trigger advertising, that the uploaded personal information is being used for advertising and a link that brings users directly to the Facebook Privacy Policy.

Facebook accepted the first recommendation but objected to the second, stating that it was opposed to interruptive notices that disrupt the users experience.

Still, Facebook agreed to configure its systems to allow users to easily access information about site operations and provide feedback, including on privacy.

Since our investigation, behavioural advertising has become much more prominent and intrusive, raising a few issues that I put to you for consideration to move forward.

The first issue to consider is anonymity. Is behavioural advertising truly anonymous?

The advertising and analytics industries have traditionally claimed that their activities fall outside the scope of privacy laws because they only collect and use anonymized data

This may have been true in the early days of the internet. However, in the current web environment, users are routinely tracked across multiple websites and anonymity on the web is becoming a relic of the past. There is also a growing body of research showing how easily data that is thought to be anonymous can be re-identified.

Facebook says it only discloses anonymized data to advertisers. However, through its architecture, Facebook makes a lot of identifiable user data easily accessible. All information on Facebook that is set to be visible to “everyone” as well as information that falls into the “publicly available” category (currently name, profile picture, gender and network) is accessible to anyone on the internet, including the advertising and analytics companies. Facebook is a rich source of data for companies that specialize in compiling consumer profiles.

Our concern for privacy is that this data is linked to identifiable individuals because Facebook requires that its members use their real names.

The public data of Facebook users can be linked by data analytics companies with information they have gathered across various websites to compile fairly detailed profiles of real people.

Facebook itself is moving quickly in the direction of gathering data about its members not just on its website but across the internet. With the recent introduction of the open graph and social plug ins, Facebook is now tracking its members movements and activities on, at last count, 200,000 websites. Time will tell what monetization initiatives will result and what the impact on users privacy will be.

The second issue to examine in moving forward is the emergence of corporate surveillance

With the rise of social networks, comes the rise of possibilities, and perceived advantages, for tracking individuals. As a result, the opportunities for surveillance by both business and government are unprecedented to monitor purchase trends, political opinions, social affiliations or geographical movement.

The long term social consequences of this, especially for our children, are only beginning to be considered and studied.

A third issue is consent and control

People need to be educated about the tracking that occurs on social networks, including tracking, aggregation and analytics in order to be able to make an informed decision about what services to use and what information to disclose.

Research and surveys in Canada show that Canadians are largely unaware of online tracking. In one survey, only 45% answered they knew what behavioural advertising was;

At the same time, surveys show that when they do know about online advertising, about 75% of them are nor comfortable with it; 50% are not comfortable with advertisers knowing their browsing history and 58% are concerned about their privacy online. Virtually nobody (4%) said that privacy online was not an issue.

Even consent for aggregated data is problematic in that consumers consent to a specific transaction (I will upload my current location so that my friends know where I am) but not to a secondary purpose of having their data be aggregated over time.

The peer pressure to participate in social networking is so powerful that we must consider whether it undermines consent.

A fourth issue that we are only beginning to explore is the impact of the intrusion in youth privacy on the Internet, through behavioural advertising.

Considering, as I just mentioned, the ubiquity of social networking as a forum of socialising, the issue of free consent to participate must be rethought, particularly for youth.

The type casting, so to speak, that comes with behavioural advertising must also be specifically examined in light of its impact on personal development in that age group.

Considering youth vulnerability, questions of personal integrity and psychological development arise as a result of the erosion of youth privacy online.

The last issue I would put for consideration as we move forward, is the trend towards self-regulation of social networks.

While self-regulation is ideal, I believe general experience of any industry is that self-regulation has proven it is not enough. We need a legislative framework that corresponds to the specific challenges of privacy on the Internet.

At OPC, we recently held Consumer Privacy Consultations that included two 1-day sessions on behavioural advertising and targeting where invited experts talked about what is happening in the industry and whether PIPEDA was adequate to address this new privacy challenge.

The results of the consultations will help inform our position on the evolution of our private sector privacy legislation and will be published in the Fall.

Looking to the future, these are issues we are still examining as a priority to protect privacy as the online world evolves.

As for the Facebook investigation, we are still in discussions with Facebook on the implementation of our report.